From: jad@nominet.org.uk
To: "M. Goodell"
Cc: FreeBSD Questions
Date: Tue, 9 May 2006 16:16:35 +0100
Subject: Re: System Intrusion Detection

Hi,

I would suggest using ssh with RSA key pairs and passphrases only. Don't allow password-based login or root login over ssh. Only allow root to log in using the console and use sudo for all admin tasks.

I have not tried this myself, but you could use tcpwrappers and write a script to add the IP address from repeated failed messages to the hosts.deny file. There are various scripts already written to do this.

A quick Google search found this: http://security.linux.com/article.pl?sid=05/09/15/1655234 (it's about Linux, but I am sure the same approach applies to FreeBSD).

Hope this helps

John

owner-freebsd-questions@freebsd.org wrote on 09/05/2006 15:54:03:

> More and more each day I am seeing my root emails contain hundreds
> of entries like this:
>
> May 8 02:23:35 warpstone sshd[26092]: Failed password for root from 222.185.245.208 port 50519 ssh2
> May 8 16:37:41 warpstone ftpd[34713]: FTP LOGIN FAILED FROM 211.44.250.152, Administrator
>
> Basically, people are attempting to hack into my server, often
> with a few thousand attempts each day. What measures can I take
> to stop these attempts? Is there a way I can detect these attacks
> and automatically cut them off? Are any of the security ports
> effective against this?
>
> Thank you!
>
> M Goodell
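
One way to do the log-to-hosts.deny step suggested in the reply above, as an added example that is not part of the original message or of any script it links to. The threshold, the function names, the blanket `ALL:` entry and the sample log (constructed, using documentation addresses) are assumptions; the address is read from fixed positions because the user name in these log lines is text chosen by the remote side.

```shell
#!/bin/sh
# Added example: THRESHOLD, the function names and the sample log are assumptions.
THRESHOLD=${THRESHOLD:-3}   # failures from one address before it is denied

# Constructed sample in the syslog format quoted above (documentation addresses).
sample_log() {
cat <<'EOF'
May  8 02:23:35 warpstone sshd[26092]: Failed password for root from 198.51.100.7 port 50519 ssh2
May  8 02:23:38 warpstone sshd[26092]: Failed password for root from 198.51.100.7 port 50519 ssh2
May  8 02:23:41 warpstone sshd[26095]: Failed password for invalid user x from 192.0.2.10 port 1 ssh2 from 198.51.100.7 port 50533 ssh2
May  8 09:10:02 warpstone sshd[27001]: Failed password for john from 192.0.2.10 port 40022 ssh2
May  8 16:37:41 warpstone ftpd[34713]: FTP LOGIN FAILED FROM 203.0.113.50, Administrator
May  8 16:37:44 warpstone ftpd[34713]: FTP LOGIN FAILED FROM 203.0.113.50, Administrator
May  8 16:37:47 warpstone ftpd[34713]: FTP LOGIN FAILED FROM 203.0.113.50, admin
EOF
}

# deny_entries FILE: read log lines on stdin and print a hosts.deny line for
# every address at or over THRESHOLD that FILE does not already list.
deny_entries() {
    awk -v min="$THRESHOLD" '
        function count(ip) {            # ignore anything that is not a dotted quad
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) n[ip]++
        }
        # The user name is remote-controlled text, so the daemon tag is matched by
        # field position and the sshd address is taken from the END of the line.
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" {
            if ($(NF-4) == "from" && $(NF-2) == "port") count($(NF-3))
        }
        $5 ~ /^ftpd\[[0-9]+\]:$/ && $6 == "FTP" && $7 == "LOGIN" && $8 == "FAILED" && $9 == "FROM" {
            ip = $10; sub(/,$/, "", ip); count(ip)
        }
        END { for (ip in n) if (n[ip] >= min) print "ALL: " ip }
    ' | sort | while read -r entry; do
        grep -qxF -- "$entry" "$1" 2>/dev/null || printf '%s\n' "$entry"
    done
}

sample_log | deny_entries /dev/null
```

Review the output before appending it to hosts.deny, and keep the addresses you administer the machine from out of it so a few mistyped passwords cannot lock you out.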